f5b67f3b27
The test failed with
> Test "test5 user should not be able to run commands under root" failed with
> error: "invalid literal for int() with base 10: ''"
since 2492da88ea
.
The reason for this is that `sudo(8)` writes the lecture to the
tty[1] and only as a fallback to stdout[2]. This means that the
`base64 --wrap 0` executed by `machine.execute()` doesn't affect the
text written to the terminal, however the lecture is part of the string
that's read from the VM via `shell.recv()`.
I confirmed the problem in an interactive test session[3]:
>>> command = "sudo -u test5 sudo -n -u root true"
>>> out_command = f"( set -euo pipefail; {command} ) | (base64 --wrap 0; echo)\n"
>>> machine.shell.send(out_command.encode())
84
>>> machine # [ 99.015512] sudo[877]: root : TTY=hvc0 ; PWD=/tmp ; USER=test5 ; COMMAND=/run/wrappers/bin/sudo -n -u root true
machine # [ 99.019373] sudo[877]: pam_unix(sudo:session): session opened for user test5(uid=1005) by (uid=0)
machine # [ 99.038692] sudo[879]: pam_unix(sudo:auth): conversation failed
machine # sudo: a password is required
machine # [ 99.041860] sudo[879]: pam_unix(sudo:auth): auth could not identify password for [test5]
machine # [ 99.046901] sudo[877]: pam_unix(sudo:session): session closed for user test5
>>>
>>> x=machine._next_newline_closed_block_from_shell()
>>> print(x)
<newline>
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
<newline>
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
<newline>
<newline>
<newline>
>>>
Since the lecture isn't strictly necessary to confirm that
`security.sudo` works as expected, I decided to disable lecturing
inside the test, however we may want to fix the underlying problem in
the test-driver at some point.
[1] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/plugins/sudoers/check.c#L275-L283
[2] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/src/conversation.c#L95-L120
[3] I replaced each empty line with `<newline>` to make sure these
aren't swallowed by git.
106 lines
4 KiB
Nix
106 lines
4 KiB
Nix
# Some tests to ensure sudo is working properly.
|
|
|
|
let
|
|
password = "helloworld";
|
|
|
|
in
|
|
import ./make-test-python.nix ({ pkgs, ...} : {
|
|
name = "sudo";
|
|
meta = with pkgs.lib.maintainers; {
|
|
maintainers = [ lschuermann ];
|
|
};
|
|
|
|
nodes.machine =
|
|
{ lib, ... }:
|
|
with lib;
|
|
{
|
|
users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
|
|
users.users = {
|
|
test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
|
test1 = { isNormalUser = true; password = password; };
|
|
test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
|
|
test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
|
|
test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
|
|
test5 = { isNormalUser = true; };
|
|
};
|
|
|
|
security.sudo = {
|
|
enable = true;
|
|
wheelNeedsPassword = false;
|
|
|
|
extraConfig = ''
|
|
Defaults lecture="never"
|
|
'';
|
|
|
|
extraRules = [
|
|
# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
|
|
# errors being detected by the visudo checks.
|
|
|
|
# These should not create any entries
|
|
{ users = [ "notest1" ]; commands = [ ]; }
|
|
{ commands = [ { command = "ALL"; options = [ ]; } ]; }
|
|
|
|
# Test defining commands with the options syntax, though not setting any options
|
|
{ users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }
|
|
|
|
|
|
# CONFIGURATION FOR TEST CASES
|
|
{ users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
|
|
{ groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
|
|
{ users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
|
|
];
|
|
};
|
|
};
|
|
|
|
nodes.strict = { ... }: {
|
|
users.users = {
|
|
admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
|
|
noadmin = { isNormalUser = true; };
|
|
};
|
|
|
|
security.sudo = {
|
|
enable = true;
|
|
wheelNeedsPassword = false;
|
|
execWheelOnly = true;
|
|
};
|
|
};
|
|
|
|
testScript =
|
|
''
|
|
with subtest("users in wheel group should have passwordless sudo"):
|
|
machine.succeed('su - test0 -c "sudo -u root true"')
|
|
|
|
with subtest("test1 user should have sudo with password"):
|
|
machine.succeed('su - test1 -c "echo ${password} | sudo -S -u root true"')
|
|
|
|
with subtest("test1 user should not be able to use sudo without password"):
|
|
machine.fail('su - test1 -c "sudo -n -u root true"')
|
|
|
|
with subtest("users in group 'foobar' should be able to use sudo with password"):
|
|
machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"')
|
|
|
|
with subtest("users in group 'barfoo' should be able to use sudo without password"):
|
|
machine.succeed("sudo -u test3 sudo -n -u root true")
|
|
|
|
with subtest("users in group 'baz' (GID 1337)"):
|
|
machine.succeed("sudo -u test4 sudo -n -u root echo true")
|
|
|
|
with subtest("test5 user should be able to run commands under test1"):
|
|
machine.succeed("sudo -u test5 sudo -n -u test1 true")
|
|
|
|
with subtest("test5 user should not be able to run commands under root"):
|
|
machine.fail("sudo -u test5 sudo -n -u root true")
|
|
|
|
with subtest("test5 user should be able to keep their environment"):
|
|
machine.succeed("sudo -u test5 sudo -n -E -u test1 true")
|
|
|
|
with subtest("users in group 'barfoo' should not be able to keep their environment"):
|
|
machine.fail("sudo -u test3 sudo -n -E -u root true")
|
|
|
|
with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
|
|
strict.succeed('su - admin -c "sudo -u root true"')
|
|
|
|
with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
|
|
strict.fail('su - noadmin -c "sudo --help"')
|
|
'';
|
|
})
|